
Please help with HJT

Hi folks... Looks like I got rid of that awful home search assistant (or most of it?), because I'm still having a problem: the BHO "HKCU\software\microsoft\InternetExplorer\main,LocalPage"
keeps coming back. I will clean it and run HJT again, and there it is, back again... please, any ideas?

When I look in the registry the section "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
is blank on the right hand side.

Any help graciously accepted.

Comments

  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    Please post a new hijackthis log so we can see everything more clearly.
  • edited December 2004
    Ack, I thought I did... HAHAHAHAHAHAH! I must be losing my mind after this hijack 3 days ago. Have done nothing else for these days but try to fix it. The odd thing is, I went in to my reg and changed the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main_local to what it used to be..... "%SystemRoot%\\system32\\blank.htm" (no quotes), shut it down, opened it back up and the entry was gone... nothing there again... hmmmmmmm

    Logfile of HijackThis v1.98.2
    Scan saved at 10:56:13 AM, on 12/1/2004
    Platform: Windows XP SP1, v.1150 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    H:\WindowBlinds\wbload.exe
    D:\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\Explorer.EXE
    E:\DiskeeperServer\DKService.exe
    H:\GHOST2~1\GHOSTS~2.EXE
    D:\NAV\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe
    C:\WINDOWS\System32\S3tray2.exe
    D:\NAV\navapw32.exe
    F:\Java\j2re1.4.2_06\bin\jusched.exe
    E:\NoAds\NoAds.exe
    F:\roboform\RoboTaskBarIcon.exe
    H:\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Wacom\TabUserW.exe
    D:\PerfectMenu2\pmenu32.exe
    F:\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Pop-Up Stopper Pro\CCHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\NAV\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\FLASHG~1\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - D:\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [piiserviceOE] "H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] D:\NAV\navapw32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKCU\..\Run: [NoAds] "E:\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [RoboForm] "F:\roboform\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [SpySweeper] "h:\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: PerfectMenu2.lnk = D:\PerfectMenu2\pmenu32.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Atomica... - file:E:\ATOMICA\ATOMIC~1\Html\griemenu.htm
    O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://F:\roboform\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - F:\FlashGet1\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - F:\FlashGet1\jc_link.htm
    O8 - Extra context menu item: Fill Forms &] - file://F:\roboform\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://F:\roboform\RoboFormComSavePass.html
    O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Decompiler - e:\swfDecompiler\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\FRONTP~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
    O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {57BBF06E-D997-11D3-8997-00104BD12D94} (PCPDiskHealth Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093277655055
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite22/fvlite.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
    O16 - DPF: {DFD181E0-5E2F-11CE-A449-00AA004A803D} (Microsoft Forms 2.0 ScrollBar) - http://activex.microsoft.com/activex/controls/mspert10.cab
  • edited December 2004
    Also, in Adaware this keeps coming back:

    Ad-Aware SE Scanning Result, 12-1-2004 1:19:31 PM
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Vendor Type Category Object Comment
    CoolWebSearch Regkey Malware HKEY_CLASSES_ROOT:clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\
    CoolWebSearch RegValue Malware HKEY_CURRENT_USER:software\microsoft\internet explorer\main "Search Bar"
    CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:software\microsoft\internet explorer\main "Use Search Asst"
    CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:software\microsoft "set"
  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    You have Spysweeper running in the background. It may be blocking your registry changes. Try disabling it to see if you can make the changes then.
  • edited December 2004
    Tried it, so far it's ok. I love Spysweeper, it tells me when something is trying to hijack my home page.
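The check-and-repair sequence discussed in this thread (reset "Local Page", remove the values Ad-Aware flagged, then confirm the change actually persists with Spy Sweeper paused), written out as an added example. This is not code from the thread or from HijackThis/Ad-Aware; it uses only reg.exe and ping.exe as shipped with Windows XP. The registry paths, value names and the CLSID are those printed in the posts above; the blank.htm default is the value the poster says was there before the hijack, and the 30-second wait is an assumed interval for catching something that rewrites the value.

```batch
@echo off
REM Added example (not from the thread). Run as the affected user, since the
REM HKCU entries are per-profile, and with Spy Sweeper paused so its registry
REM guard does not silently revert the change. Back up first so every change
REM below can be undone with "reg import".

set MAIN_CU=HKCU\Software\Microsoft\Internet Explorer\Main
set MAIN_LM=HKLM\Software\Microsoft\Internet Explorer\Main
set CWS_CLSID=HKCR\CLSID\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
REM %% inside a batch file is a literal %, so this stores the unexpanded string
set LOCALPAGE=%%SystemRoot%%\system32\blank.htm

echo === Backup ===
reg export "%MAIN_CU%" "%TEMP%\ie_main_hkcu.reg"
reg export "%MAIN_LM%" "%TEMP%\ie_main_hklm.reg"

echo === Before ===
REM A missing "Local Page" value here is what shows as a blank right-hand pane in regedit
reg query "%MAIN_CU%" /v "Local Page"
reg query "%MAIN_CU%" /v "Search Bar"
reg query "%MAIN_LM%" /v "Use Search Asst"
reg query "HKLM\Software\Microsoft" /v "set"
reg query "%CWS_CLSID%"

echo === Repair ===
REM REG_EXPAND_SZ so Internet Explorer expands %SystemRoot% at run time
reg add "%MAIN_CU%" /v "Local Page" /t REG_EXPAND_SZ /d "%LOCALPAGE%" /f
REM The values and key Ad-Aware attributed to CoolWebSearch in the post above
reg delete "%MAIN_CU%" /v "Search Bar" /f
reg delete "%MAIN_LM%" /v "Use Search Asst" /f
reg delete "HKLM\Software\Microsoft" /v "set" /f
reg delete "%CWS_CLSID%" /f

echo === After ===
REM Wait about 30 seconds (ping is the XP-era sleep), then re-read the value.
REM If it is empty again, a resident process or a startup entry is still
REM rewriting it and the HijackThis log needs another look.
ping -n 31 127.0.0.1 >nul
reg query "%MAIN_CU%" /v "Local Page"
```

The only interesting output is the final query: if "Local Page" reads back as %SystemRoot%\system32\blank.htm the edit stuck, and if it comes back empty or as a different path while Spy Sweeper is paused, something other than the anti-spyware tool is reverting it.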